SecurityTracker.com
Category:  Application (Web Browser)  >  Mozilla Firefox
Vendors:  Mozilla.org
Firefox State Error Lets Remote Server Spoof Arbitrary Secure Web Sites
SecurityTracker Alert ID:  1010774
SecurityTracker URL:  http://securitytracker.com/id?1010774
CVE Reference:  CAN-2004-0763
OSVDB Reference:  8234
Updated:  Aug 6 2004
Original Entry Date:  Jul 26 2004
Impact:  Modification of system information
Exploit Included:  Yes  
Version(s): 0.9.1, 0.9.2
Description:  A certificate spoofing vulnerability was reported in Mozilla Firefox. A remote web server can spoof the certificate of another web site.

Emmanouel Kellinis reported that a remote user can create specially crafted HTML that will exploit a flaw in Firefox to display content within a web page that appears to have the certificate of an arbitrary secure web site.

The exploit involves using a META Refresh tag to point to the target web site and a BODY tag with 'onunload' code to invoke the document.close() function, causing the browser to close the Refresh redirection. Then, the remote user's code can use the document.write() function to write arbitrary content. The browser may not display the arbitrary content, so a window.location.reload() function call may be required to refresh the arbitrary content, causing the content to be displayed.

This will reportedly cause the remote user's URL to be displayed in the address bar but the 'secure' icon to be displayed with the certificate of the spoofed web site.

SSL is not required on the remote user's site.

Some demonstration exploit code is provided:

<HTML>
<HEAD>
<TITLE>Spoofer</TITLE>
<!-- the Refresh target is the site whose certificate ends up being displayed -->
<META HTTP-EQUIV="REFRESH" CONTENT="0;URL=https://www.example.com">
</HEAD>
<!-- onunload fires as the Refresh navigation starts and rewrites the document -->
<BODY
onunload="
document.close();
document.writeln('<body onload=document.close();break;><h3>It is Great to Use example\'s Cert!');
document.close();
window.location.reload();
">
</body>
</HTML>

Impact:  A remote web server can spoof the digital certificate of an arbitrary secure web site.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.mozilla.org/products/firefox/
Cause:  State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Underlying OS Comments:  Tested on Windows
Reported By:  "E.Kellinis" <me@cipher.org.uk>
Message History:   This archive entry has one or more follow-up message(s) listed below.
Aug 6 2004 (Vendor Issues Fix) Firefox State Error Lets Remote Server Spoof Arbitrary Secure Web Sites
This is a follow-up message.



Source Message Contents

Date:  Sun, 25 Jul 2004 19:44:04 -0700
From:  "E.Kellinis" <me@cipher.org.uk>
Subject:  [Full-Disclosure] Mozilla Firefox Certificate Spoofing

 

#########################################
Application:  Mozilla Firefox
Vendors:      http://www.mozilla.com
Version:      0.9.1 / 0.9.2
Platforms:    Windows
Bug:          Certificate Spoofing (Phishing)
Risk:         High
Exploitation: Remote with browser
Date:         25 July 2004
Author:       Emmanouel Kellinis
e-mail:       me@cipher(dot)org(dot)uk
web:          http://www.cipher.org.uk
List:         BugTraq(SecurityFocus)/ Full-Disclosure
#########################################


=======
Product
=======
A popular Web browser, a good alternative to IE and 
"the web browser" for Linux machines,
used to view pages on the World Wide Web.

===
Bug
===

Firefox has a caching problem; as a result of that, someone can 
spoof the certificate of any website and use it as his/her own.
The problem is exploited using onunload inside <body> and 
redirection using an Http-equiv Refresh meta tag, document.write()
and document.close().

First you direct the redirection meta tag to the website 
whose certificate you want to spoof, then inside 
the <body> tag you add an onunload script so you can control
the output inside the webpage with the spoofed certificate.

After that you tell Firefox: as soon as you unload this page, 
close the stream. Apparently the stream you close is 
the redirection website; you do that with 
document.close().

Now you can write anything you want; you do that 
using document.write(). After writing the content of your choice
you close the stream again. Usually Firefox won't display your content,
although if you check the source code you see it, so the last thing 
is to refresh the new page (do that using window.location.reload()). 
After that you have your domain name in the URL field, your content 
in the browser and the magic yellow lock in the bottom left corner; 
if you pass your mouse over it you will see displayed the name of 
the website whose certificate you spoofed, and if you double click on it you 
will see the full information of the certificate without any warning!

You don't need to have SSL on your website! It will work with 
http.

Additionally, using this bug malicious websites can bypass content 
filtering using SSL properties.


=====================
Proof Of Concept Code
=====================

<HTML>
<HEAD>
<TITLE>Spoofer</TITLE>
<!-- the Refresh target is the site whose certificate ends up being displayed -->
<META HTTP-EQUIV="REFRESH" CONTENT="0;URL=https://www.example.com">
</HEAD>
<!-- onunload fires as the Refresh navigation starts and rewrites the document -->
<BODY
onunload="
document.close();
document.writeln('<body onload=document.close();break;><h3>It is Great to Use example\'s Cert!');
document.close();
window.location.reload();
">
</body>
</HTML>


=========================================================
*PK:http://www.cipher.org.uk/files/pgp/cipherorguk.public.key.txt
=========================================================

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
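
One way a content filter or proxy could recognise this pattern on the wire, as an added example that is not part of the advisory, the Full-Disclosure post or Mozilla's own code: it looks for the three ingredients both the advisory description and the post describe (a META Refresh to an https:// target, an unload-time handler on the page, and document.close()/document.write()/location.reload() chained inside that handler). The regular expressions, the Finding record and both sample pages are constructed for this example; the onbeforeunload/onpagehide variants are an assumption added for generality, not something the post mentions. The verdict rests on page content alone because, as the post notes, the attacker's own page need not be served over SSL.

```python
import re
from dataclasses import dataclass, field

# Constructed sample page, modelled on the proof-of-concept quoted in the advisory:
# an instant META Refresh to an https:// target plus an onunload handler that
# closes the document, writes replacement content and forces a reload.
SPOOF_SAMPLE = """<HTML><HEAD><TITLE>Spoofer</TITLE>
<META HTTP-EQUIV="REFRESH" CONTENT="0;URL=https://www.example.com">
</HEAD>
<BODY onunload="
document.close();
document.writeln('<body onload=document.close();><h3>spoofed</h3>');
document.close();
window.location.reload();
">
</body></HTML>"""

# Constructed benign sample: a plain refresh redirect with no unload handler.
REDIRECT_SAMPLE = """<html><head>
<meta http-equiv="refresh" content="5;url=https://www.example.com/new-home">
</head><body><p>This page has moved.</p></body></html>"""

# name=value pairs inside a start tag; quoted values may span lines (re.S)
ATTR = re.compile(r'([\w:-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))', re.S)
# unload-time handlers: onunload as in the post, plus assumed modern relatives
UNLOAD_HANDLER = re.compile(
    r'\bon(?:unload|beforeunload|pagehide)\s*=\s*(?:"([^"]*)"|\'([^\']*)\')',
    re.I | re.S)
# the DOM calls the post chains together: close, write/writeln, reload
DOM_REWRITE = re.compile(
    r'(document\s*\.\s*(?:close|write|writeln)|location\s*\.\s*reload)\s*\(',
    re.I)


def _attrs(tag: str) -> dict:
    """Parse the attributes of one start tag into a lower-cased dict."""
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
            for m in ATTR.finditer(tag)}


def refresh_targets(html: str) -> list:
    """URLs named by <meta http-equiv="refresh" content="N;url=..."> tags."""
    targets = []
    for tag in re.findall(r'<meta\b[^>]*>', html, re.I | re.S):
        attrs = _attrs(tag)
        if attrs.get("http-equiv", "").lower() != "refresh":
            continue
        m = re.search(r'url\s*=\s*[\'"]?([^\'";\s]+)', attrs.get("content", ""), re.I)
        if m:
            targets.append(m.group(1))
    return targets


def unload_handler_calls(html: str) -> list:
    """Normalised names of close/write/reload calls found in unload handlers."""
    calls = []
    for m in UNLOAD_HANDLER.finditer(html):
        body = m.group(1) if m.group(1) is not None else m.group(2)
        calls.extend(re.sub(r"\s+", "", c).lower() for c in DOM_REWRITE.findall(body))
    return calls


@dataclass
class Finding:
    refresh_targets: list = field(default_factory=list)
    handler_calls: list = field(default_factory=list)
    reasons: list = field(default_factory=list)
    suspicious: bool = False


def check_page(html: str) -> Finding:
    """Flag a page that combines the three ingredients of the spoofing pattern."""
    f = Finding(refresh_targets(html), unload_handler_calls(html))
    secure_targets = [t for t in f.refresh_targets if t.lower().startswith("https://")]
    if secure_targets:
        f.reasons.append("meta refresh to a secure origin: " + ", ".join(secure_targets))
    closes = "document.close" in f.handler_calls
    writes = any(c in ("document.write", "document.writeln") for c in f.handler_calls)
    if closes and writes:
        f.reasons.append("unload handler closes the document and rewrites it")
    if "location.reload" in f.handler_calls:
        f.reasons.append("unload handler forces a reload of the rewritten page")
    # The attacker's page need not be served over SSL, so the verdict rests on the
    # page content alone, not on how it was delivered.
    f.suspicious = bool(secure_targets) and closes and writes
    return f


if __name__ == "__main__":
    for name, page in (("spoof sample", SPOOF_SAMPLE), ("redirect sample", REDIRECT_SAMPLE)):
        result = check_page(page)
        print(f"{name}: suspicious={result.suspicious}; " + "; ".join(result.reasons))
```

The check deliberately requires all three ingredients before it flags a page: a refresh redirect to an https:// site on its own is ordinary, and an unload handler on its own is common, so either alone would produce noise. A hit is worth logging with the refresh target, since that is the site whose certificate would have been displayed to the user.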

 


Copyright 2004, SecurityGlobal.net LLC